API Object - access_tier_local_config

  • Updated on Nov 05, 2022

Access Tier Local Config Metadata

// Metadata is the metadata object of the access tier local config.
// It declares no fields and is marked as unused.
type Metadata struct {}

Access Tier Local Config Spec

// Spec is the access tier local config. Every parameter group is an embedded
// pointer carrying an explicit JSON name with omitempty, so with encoding/json
// a group is encoded as a nested object under that key and a nil group is
// left out of the document entirely.
//
// Several groups change the security posture of the access tier (policy
// enforcement, HSTS, trust-cookie forwarding, DoS protection), so a change to
// this object deserves the same review as a policy change.
type Spec struct {
  // Unused by client
	*BaseParameters `json:"base,omitempty"`

	// Parameters related to Netagent logging
	*LoggingParameters `json:"logging,omitempty"`

	// Parameters related to event rate limiting
	*EventParameters `json:"events,omitempty"`

	// Parameters related to hosted web service handling
	// (trust-cookie forwarding and HSTS)
	*HostedWebServiceParameters `json:"hosted_web_services,omitempty"`

	// Parameters related to infrastructure service handling
	*InfrastructureServiceParameters `json:"infrastructure_services,omitempty"`

	// Parameters related to denial-of-service protection
	*DoSProtectionParameters `json:"dos_protection,omitempty"`

	// Parameters related to debugging and serviceability.
	// Despite the name, this group also holds enforcement-relevant switches
	// such as visibility_only and shield_timeout.
	*DebuggingParameters `json:"debugging,omitempty"`

	// ... everything else
	*MiscellaneousParameters `json:"miscellaneous,omitempty"`

	// Parameters related to service discovery
	*ServiceDiscoveryParameters `json:"service_discovery,omitempty"`

	// Unused by client
	// Initial spec for local config is saved
	// NOTE(review): the encoding of this string is not shown here — confirm
	// before parsing it.
	Spec *string `json:"spec,omitempty"`
}

BaseParameters

Type

// BaseParameters holds the addresses this access tier is associated with.
// Spec marks this group as unused by the client. Both fields are optional
// pointers and are omitted from JSON when nil.
type BaseParameters struct {
  // Current access tier's associated shield address
  ShieldAddress *string `json:"shield_address,omitempty"`

  // Current access tier's site address
  SiteAddress *string `json:"site_address,omitempty"`
}

LoggingParameters

Type

// LoggingParameters controls Netagent console and file logging and the
// optional StatsD output. All fields are optional pointers; a nil field is
// omitted from JSON. The documented default values are listed in
// DefaultLoggingParameters.
type LoggingParameters struct {
  // Controls verbosity of logs to console
  // The valid tag limits the value to ERR, WARN, INFO or DEBUG
  // (presumably enforced by a struct validator — confirm).
	ConsoleLogLevel *string `json:"console_log_level,omitempty" valid:"in(ERR|WARN|INFO|DEBUG)"`

	// Controls verbosity of logs to file
	// Same allowed set as ConsoleLogLevel.
	FileLogLevel *string `json:"file_log_level,omitempty" valid:"in(ERR|WARN|INFO|DEBUG)"`

	// Whether to log to file or not
	// NOTE(review): turning this off removes the on-host file log; confirm
	// that another log destination is retained for investigations.
	FileLog *bool `json:"file_log,omitempty"`

	// For file logs: Number of files to use for log rotation
	LogNum *int `json:"log_num,omitempty"`

	// For file logs: Size of each file for log rotation
	// NOTE(review): the unit is not stated here — confirm.
	LogSize *int `json:"log_size,omitempty"`

	// Enable or disable StatsD
	StatsD *bool `json:"statsd,omitempty"`

	// StatsD endpoint for use if StatsD is enabled
	// NOTE(review): no valid tag constrains this address; metrics go to
	// whatever endpoint is configured, so treat a non-loopback value as a
	// data-egress decision.
	StatsDAddress *string `json:"statsd_address,omitempty"`
}

Defaults

// DefaultLoggingParameters lists the default logging values.
// The fields of LoggingParameters are pointers while the values below are
// plain literals, so this listing documents the defaults rather than being
// compilable Go as written.
var DefaultLoggingParameters = LoggingParameters{
  ConsoleLogLevel: "ERR",
  FileLogLevel:    "INFO",
  FileLog:         true,
  // Rotation: 10 files of size 50 (unit not stated in this listing).
  LogNum:          10,
  LogSize:         50,
  // StatsD is off by default; the default endpoint is a loopback address.
  StatsD:          false,
  StatsDAddress:   "127.0.0.1:8125",
}

EventParameters

Type

// EventParameters configures rate limiting of Netagent access events.
// Two independent limiters are described: a credit-based limiter (one event
// consumes one credit, credits are replenished per interval up to a maximum)
// and a per-access-key limiter that spaces out events for the same key.
// All fields are optional pointers and are omitted from JSON when nil.
type EventParameters struct {
  // Enable or disable Netagent access event rate limiting
	CreditsLimiting *bool `json:"access_event_credits_limiting,omitempty"`

	// Number of credits to assign after an interval
	CreditsPerInterval *int `json:"access_event_credits_per_interval,omitempty"`

	// After this interval, assign number of credits per the above
	CreditsInterval *time.Duration `json:"access_event_credits_interval,omitempty"`

	// Maximum number of credits to assign a Netagent
	// One event consumes one credit
	// NOTE(review): what happens to an event when no credit is left is not
	// shown here; if such events are dropped, access logs can be incomplete
	// during bursts — confirm.
	CreditsMax *int `json:"access_event_credits_max,omitempty"`

	// Enable or disable Netagent access key event rate limiting
	KeyLimiting *bool `json:"access_event_key_limiting,omitempty"`

	// After this interval, another access key event may be generated
	KeyExpiration *time.Duration `json:"access_event_key_expiration,omitempty"`
}

Defaults

// DefaultEventParameters lists the default event rate-limiting values:
// both limiters are on, 5 credits are granted every 60 seconds up to a
// maximum of 5000, and a given access key may produce a new event after
// 540 seconds (9 minutes).
// The fields of EventParameters are pointers while the values below are
// plain literals, so this listing documents the defaults rather than being
// compilable Go as written.
var DefaultEventParameters = EventParameters{
  CreditsLimiting:     true,
  CreditsPerInterval:  5,
  CreditsInterval:     60 * time.Second,
  CreditsMax:          5000, // Docs incorrect: 1k -> 5k
  KeyLimiting:         true,
  KeyExpiration:       540 * time.Second,
}

HostedWebServiceParameters

Type

// HostedWebServiceParameters configures how hosted web services are handled.
// Both switches weaken a protection when set to true, and both default to
// false in DefaultHostedWebServiceParameters.
type HostedWebServiceParameters struct {
  // Forward Banyan trust cookie to upstream servers
  // When true, the upstream servers receive the trust cookie; enable it only
  // for upstreams that are trusted to hold that value.
	ForwardTrustCookie *bool `json:"forward_trust_cookie,omitempty"`

	// Disable HTTP Strict Transport Security
	// Negative switch: true turns HSTS off, false (the default) leaves it on.
	DisableHSTS *bool `json:"disable_hsts,omitempty"`
}

Defaults

// DefaultHostedWebServiceParameters lists the default hosted web service
// values: the trust cookie is not forwarded upstream and HSTS stays enabled.
// The fields of HostedWebServiceParameters are pointers while the values
// below are plain literals, so this listing documents the defaults rather
// than being compilable Go as written.
var DefaultHostedWebServiceParameters = HostedWebServiceParameters{
  ForwardTrustCookie: false,
  DisableHSTS:        false,
}

InfrastructureServiceParameters

Type

// InfrastructureServiceParameters configures handling of infrastructure
// services. Its single field caps how long a TCP socket handled by Netagent
// may live.
type InfrastructureServiceParameters struct {
  // Maximum lifetime for TCP sockets handled by Netagent
  // NOTE(review): presumably a long-lived session is closed once this
  // lifetime is reached, which bounds how long an established connection
  // outlives a policy or credential change — confirm.
	MaximumSessionTimeout *time.Duration `json:"maximum_session_timeout,omitempty"`
}

Defaults

// DefaultInfrastructureServiceParameters lists the default infrastructure
// service values. 43200 seconds is 12 hours.
// MaximumSessionTimeout is declared as a pointer while the value below is a
// plain literal, so this listing documents the default rather than being
// compilable Go as written.
var DefaultInfrastructureServiceParameters = InfrastructureServiceParameters{
  MaximumSessionTimeout: 43200 * time.Second,
}

DoSProtectionParameters

Type

// DoSProtectionParameters configures denial-of-service protection: after a
// number of unauthorized requests an offending IP address is jailed for a
// fixed sentence time. The protection is off in
// DefaultDoSProtectionParameters and has to be enabled explicitly.
type DoSProtectionParameters struct {
  // Enable or disable DoS protection
	BadActor *bool `json:"bad_actor,omitempty"`

	// Number of unauthorized requests before an offending IP address is jailed
	// NOTE(review): jailing is keyed on the IP address, so clients that share
	// an address (NAT, proxy) would presumably be jailed together — confirm.
	InfractionCount *int `json:"infraction_count,omitempty"`

	// Jail interval after which bad actor is freed
	SentenceTime *time.Duration `json:"sentence_time,omitempty"`
}

Defaults

// DefaultDoSProtectionParameters lists the default DoS protection values.
// Protection is disabled by default; the threshold of 10 infractions and the
// 600-second (10-minute) sentence presumably apply only once BadActor is
// set to true.
// The fields of DoSProtectionParameters are pointers while the values below
// are plain literals, so this listing documents the defaults rather than
// being compilable Go as written.
var DefaultDoSProtectionParameters = DoSProtectionParameters{
  BadActor:         false,
  InfractionCount:  10,
  SentenceTime:     600 * time.Second,
}

DebuggingParameters

Type

// DebuggingParameters groups debugging and serviceability settings.
// The group is broader than its name suggests: VisibilityOnly and
// ShieldTimeout decide whether policy is enforced at all, UseRSA and
// FullServerCertChain affect key and TLS handshake behavior, and CodeFlow
// toggles OpenID Connect. All fields are optional pointers and are omitted
// from JSON when nil.
type DebuggingParameters struct {
  // Verbose logging for HTTP backend traffic
  // NOTE(review): what the verbose output contains is not shown here; check
  // for headers, cookies or tokens before enabling it outside a test setup.
	HTTPBackendLog *bool `json:"http_backend_log,omitempty"`

	// Enable or disable visibility mode
	// If on, Netagent will not do policy enforcement on inbound traffic
	// Security-relevant: true means inbound traffic is not subject to policy
	// enforcement.
	VisibilityOnly *bool `json:"visibility_only,omitempty"`

	// If Shield is not available, policies will be treated as if they are permissive
	// Zero means this is disabled
	// Security-relevant: a non-zero value is a fail-open setting, because a
	// Shield outage then results in permissive policy handling.
	ShieldTimeout *time.Duration `json:"shield_timeout,omitempty"`

	// Enable TCP keepalive messages for TCP sockets handled by Netagent
	KeepAlive *bool `json:"keep_alive,omitempty"`

	// Idle time before sending a TCP keepalive
	KeepIdle *time.Duration `json:"keep_idle,omitempty"`

	// Time between consecutive TCP keepalive messages
	KeepInterval *time.Duration `json:"keep_interval,omitempty"`

	// Number of missing TCP keepalive acknowledgements before closing connection
	KeepCount *int `json:"keep_count,omitempty"`

	// Output file for CPU profiling; may impact performance
	// If empty, this is disabled
	CPUProfile *string `json:"cpu_profile,omitempty"`

	// Output file for memory profiling; may impact performance
	// If empty, this is disabled
	// NOTE(review): the comment describes an output file, but the field is
	// declared *bool (CPUProfile is *string) — confirm which one is intended.
	MemProfile *bool `json:"mem_profile,omitempty"`

	// Host only mode
	HostOnly *bool `json:"host_only,omitempty"`

	// Disable Docker monitoring
	DisableDocker *bool `json:"disable_docker,omitempty"`

	// Send all-zero data points to Shield
	SendZeros *bool `json:"send_zeros,omitempty"`

	// Interval for reporting statistics
	// NOTE(review): declared as *int rather than *time.Duration; the unit is
	// not stated here — confirm.
	Period *int `json:"period,omitempty"`

	// Generate access events at the request level
	RequestLevelEvents *bool `json:"request_level_events,omitempty"`

	// Provide client address transparency
	AddressTransparency *bool `json:"address_transparency,omitempty"`

	// Netagent will generate RSA instead of ECDSA keys
	// The key size used for RSA is not shown here.
	UseRSA *bool `json:"use_rsa,omitempty"`

	// Include non-root (intermediate) CA certs during TLS handshakes
	FullServerCertChain *bool `json:"full_server_cert_chain,omitempty"`

	// Enable or disable OpenID Connect
	CodeFlow *bool `json:"code_flow,omitempty"`

	// HTTP inactivity timeout
	InactivityTimeout *time.Duration `json:"inactivity_timeout,omitempty"`

	// Client identification timeout
	ClientTimeout *time.Duration `json:"client_timeout,omitempty"`
}

Defaults

// DefaultDebuggingParameters lists the default debugging and serviceability
// values. The fields of DebuggingParameters are pointers while the values
// below are plain literals, so this listing documents the defaults rather
// than being compilable Go as written.
var DefaultDebuggingParameters = DebuggingParameters{
  HTTPBackendLog:        false,
  // Enforcement defaults: visibility mode is off, and a zero ShieldTimeout
  // means the permissive-on-Shield-outage behavior is disabled.
  VisibilityOnly:        false,
  ShieldTimeout:         0 * time.Second,
  KeepAlive:             true,
  KeepIdle:              59 * time.Second,
  // NOTE(review): unlike the other durations, this value carries no
  // time.Second factor; as a time.Duration a bare 59 is 59 nanoseconds —
  // confirm whether 59 seconds is meant.
  KeepInterval:          59,
  KeepCount:             3,
  // Profiling is disabled by default.
  CPUProfile:            "",
  MemProfile:            false,
  HostOnly:              true,
  DisableDocker:         false,
  SendZeros:             false,
  Period:                20,
  RequestLevelEvents:    true,
  AddressTransparency:   true,
  // ECDSA keys by default; intermediate CA certs are sent in the handshake.
  UseRSA:                false,
  FullServerCertChain:   true,
  CodeFlow:              false,
  // 3600 seconds is one hour.
  InactivityTimeout:     3600 * time.Second,
  ClientTimeout:         20 * time.Second,
}

MiscellaneousParameters

Type

// MiscellaneousParameters holds the settings that fit no other group:
// operating mode, host tags, listen ports, public IP discovery, CPU limit
// and the WireGuard tunnel mode. HostTags is a map; every other field is an
// optional pointer. Fields with a valid tag carry their allowed range or set
// in the tag (presumably enforced by a struct validator — confirm).
type MiscellaneousParameters struct {
  // Enable or disable access tier mode
	// If disabled, then uses host agent mode
	AccessTier *bool `json:"access_tier,omitempty"`

	// Arbitrary key-value pairs used for attribute matching on Netagent
	// NOTE(review): if policies match on these attributes, the tags take part
	// in access decisions and should be changed with the same care — confirm.
	HostTags map[string]string `json:"host_tags,omitempty"`

	// TCP listen port on Netagent host for proxying incoming connections
	// Allowed range per the valid tag: 1024-65535.
	ListenPort *int `json:"listen_port,omitempty" valid:"range(1024|65535)"`

	// TCP listen port on Netagent host for health checks
	// Allowed range per the valid tag: 1024-65535.
	ListenPortHealth *int `json:"listen_port_health,omitempty" valid:"range(1024|65535)"`

	// Configures how Netagent will determine its public IP
	// Allowed values per the valid tag: AWS, GCE, default, none.
	PublicIPSource *string `json:"public_ip_source,omitempty" valid:"in(AWS|GCE|default|none)"`

	// Max percentage of CPU core usage
	// Allowed range per the valid tag: 1-100.
	CPULimit *int `json:"cpu_limit,omitempty" valid:"range(1|100)"`

	// Whether WireGuard should use a userspace or kernel space module
	// Per DefaultMiscellaneousParameters the default is false; going by the
	// field name, true presumably selects the userspace module — confirm.
	UserModeTunnel *bool `json:"user_mode_tunnel,omitempty"`
}

Defaults

// DefaultMiscellaneousParameters lists the default miscellaneous values:
// access tier mode on, no host tags, proxy port 9999, health-check port
// 9998, default public IP discovery and no CPU cap below 100 percent.
// Apart from HostTags, the fields of MiscellaneousParameters are pointers
// while the values below are plain literals, so this listing documents the
// defaults rather than being compilable Go as written.
var DefaultMiscellaneousParameters = MiscellaneousParameters{
  AccessTier:       true,
  HostTags:         nil,
  ListenPort:       9999,
  ListenPortHealth: 9998,
  PublicIPSource:   "default",
  CPULimit:         100,
  UserModeTunnel:   false,
}

ServiceDiscoveryParameters

Type

// ServiceDiscoveryParameters configures service discovery, which is
// described here as DNS and conntrack logging processed in batches.
// All fields are optional pointers and are omitted from JSON when nil.
type ServiceDiscoveryParameters struct {
	// Enable or disable DNS and conntrack logging
	// NOTE(review): when enabled, DNS and connection-tracking records are
	// logged; confirm where they are sent and how long they are retained.
	ServiceDiscoveryEnable *bool `json:"service_discovery_enable,omitempty"`

	// Message threshold for batch processing
	// Allowed values per the valid tag: 100, 1000 or 5000.
	ServiceDiscoveryMsgLimit *int `json:"service_discovery_msg_limit,omitempty" valid:"in(100|1000|5000)"`

	// Timeout value for batch processing
	// NOTE(review): the original comment text was garbled at this point;
	// "processing" is inferred from the ServiceDiscoveryMsgLimit comment.
	ServiceDiscoveryMsgTimeout *time.Duration `json:"service_discovery_msg_timeout,omitempty"`
}

Defaults

// DefaultServiceDiscoveryParameters lists the default service discovery
// values: discovery is off, the batch threshold is 100 messages and the
// batch timeout is 10 seconds.
// The fields of ServiceDiscoveryParameters are pointers while the values
// below are plain literals, so this listing documents the defaults rather
// than being compilable Go as written.
var DefaultServiceDiscoveryParameters = ServiceDiscoveryParameters{
	ServiceDiscoveryEnable:     false,
	ServiceDiscoveryMsgLimit:   100,
	ServiceDiscoveryMsgTimeout: 10 * time.Second,
}

